Obama executive order redefines critical infrastructure
More companies could get designated as part of the sector under this week's presidential cybersecurity order
Computerworld - President Barack Obama's cybersecurity executive order, signed on Tuesday, could significantly expand the list of companies categorized as part of U.S. critical infrastructure sector, security experts said Wednesday.
The executive order requires federal agencies and critical infrastructure owners and operators to work cooperatively to minimize cyber risks and strengthen resilience to attacks. It also calls for the creation of new consensus security standards and best practices that critical infrastructure companies will be urged, but not mandated, to follow.
The order stems from what the White House has long said is the need for immediate action to protect critical assets against cyber threats.
Administration officials contended that the order was necessary because Congress has so far failed to adequately update cybersecurity legislation.
A key piece of the executive order is requires federal agencies overseeing critical infrastructure areas to identify organizations "where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security."
Such entities will then be designated as part of the U.S. critical infrastructure.
The order gives the Department of Homeland Security (DHS) and sector-specific federal agencies 150 days to use a risk-based assessment approach to identify such organizations. Owners and operators of those businesses will then be notified by the DHS.
The order allows businesses to challenge a classification and ask to for reconsideration.
A separate Presidential Policy Directive (PPD-21) released on Tuesday scraps the previous national policy for federal agencies and departments to identify and prioritize critical infrastructure. That policy had been established under Homeland Security Presidential Directive-7 (HSPD-7) of 2003.
"This PPD updates our policy from a primary focus on protecting critical infrastructure against terrorism to protecting, securing, and making the nation's critical infrastructure more resilient to all hazards - including natural disasters, manmade threats, pandemics, and cyber attacks," a spokeswoman from the White House's National Security Council told Computerworld via email Wednesday.
"The PPD is focused on clarifying Federal roles and responsibilities; integrating physical security and cybersecurity analysis and situational awareness; improving information sharing; and having the Federal government function more effectively to be a better partner to the critical infrastructure owners and operators," she added.
The Presidential directive identifies 16 critical infrastructure sectors, including the Chemical, Commercial Facilities, Critical Manufacturing, Dams, Defense Industrial Base, Energy, Financial Services, Information Technology, Nuclear Reactors and Water and Wastewater systems.
The DHS is the designated federal agency for 10 of these sectors, including IT, Critical Manufacturing and Communication. The Treasury Department will oversee the identifying of critical infrastructure entities within the financial services sector while the Department of Defense will oversee the Defense Industrial Base sector.
The language in the executive order significantly broadens the number of entities that can be classified as being part of the country's critical infrastructure, said Andrew Serwin, chair of the privacy, security and information management practice at law firm Foley & Lardner LLP.
The order defines critical infrastructure as any organization and associated systems where a cyberattack could pose a threat to U.S. national security, public safety and health or economic interests.
- Cyberattacks could paralyze U.S., former defense chief warns
- The NSA blame game: Singling out RSA diverts attention from others
- Jury still out on FISA court
- Suspected China-based hackers 'Comment Crew' rises again
- Chinese hackers master the art of lying in wait
- Spy court OK'd all U.S. wiretap requests it received in 2012
- Groups denounce FBI plan to require Internet backdoors for wiretaps
- South Korea cyberattacks hold lessons for U.S.
- U.S. military networks not prepared for cyberthreats, report warns
- Return of CISPA: Cybersecurity boon or privacy threat?
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts