Obama executive order redefines critical infrastructure
So businesses that support or partner with companies and federal agencies from the listed as part of the critical infrastructure sector could be designated as well. "I think that you could see a variety of other industries getting sucked into the definition of critical infrastructure," Serwin said.
It's unclear yet what risk criteria the federal agencies will use to identify entities, he said. "But you could see a scenario where any business of a certain size" could be considered critical.
Obama's order does not require private sector owners and operators of critical infrastructure to adopt any of the new security standards and best practices. But they will be pressured to adopt them anyway from a due diligence standpoint, Serwin maintained.
"There are huge brand issues with cybersecurity and privacy," Serwin said. "If you are in a designated critical infrastructure category, you don't want to be the company that didn't follow the recommendations."
A wide range of companies from the health care, IT, financial services and other sectors need to determine whether they could be designated as part of the critical infrastructure sector under the executive order, said David Ransom, a partner at law firm McDermott Will & Emery.
The DHS secretary appears to have been given wide latitude to designate critical infrastructure under the order, Ransom said. The language leaves open the possibility that a wide range of private sector entities from a spectrum of industries could get classified as critical infrastructure.
"What their view is going to be remains to be seen," he said.
The executive order's open-ended definition of critical infrastructure gives the DHS and sector specific federal agencies the ability "to cast a wide net in the process of identifying which companies and their associated assets and systems might be included within their statutory capacity," said John South, chief security officer at Heartland Payment Systems.
The key question though is whether broadening the list of companies will make much of a difference in heading off cybersecurity threats, South said.
Efforts to define critical infrastructure entities goes back as far as 1998 at least, he noted. Considerable progress has already been made in identifying information sharing capabilities of the sort described in the executive order, South added.
"Nothing in this directive clarifies what timely information sharing is and how this differs from where we are currently," he said. "If there is no substantive product that provides actionable, timely intelligence - regardless of how wide the net of critical infrastructure is cast - we haven't advanced very much."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.
- The NSA blame game: Singling out RSA diverts attention from others
- Jury still out on FISA court
- Suspected China-based hackers 'Comment Crew' rises again
- Chinese hackers master the art of lying in wait
- Spy court OK'd all U.S. wiretap requests it received in 2012
- Groups denounce FBI plan to require Internet backdoors for wiretaps
- South Korea cyberattacks hold lessons for U.S.
- U.S. military networks not prepared for cyberthreats, report warns
- Return of CISPA: Cybersecurity boon or privacy threat?
- New report says cyberspying group linked to China's army
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts