It has been an interesting time for those that care about cyber security. Last week, the European Union introduced its formative cybersecurity strategy and draft directive on network and information security to better protect critical systems from security incidents and breaches. Two days ago, the White House released an Executive Order entitled Improving Critical Infrastructure Cybersecurity to drive a concerted effort across departments, agencies and industry to improve the posture of the nation’s critical infrastructures against cyber-attacks. The White House also issued Presidential Policy Directive 21 on critical infrastructure security and resilience to augment existing policy and enhance existing capabilities, partnerships, and strategies. Yesterday, a bill was also introduced on the Cyber Intelligence Sharing and Protection Act (CISPA) which will continue the important dialogue on the exchange of cyber threat information to help manage cyber risks.
When reviewing the key definitions, approaches and activities outlined in the Executive Order, it is fairly well aligned with a set of global principles essential for enhancing cyber security. More specifically, it recognizes the principles of active collaboration and coordination with infrastructure owners and operators, outlines a risk-based approach for enhancing cyber security, and focuses on enabling the sharing of timely and actionable information to support risk management efforts. It is important to see these principles reflected in the Executive Order for three reasons. First, it is the private sector that designs, deploys and maintains most critical infrastructure; therefore, industry must be part of any meaningful attempt to secure it. Second, both information sharing and the implementation of sound risk management principles is the only way to manage complex risks. Finally, while critical infrastructure protection is important, it cannot be the only objective of governmental policy; privacy and continued innovation are also critical concerns.
Even if based upon the right principles, we will still need collaborative and thoughtful implementation to help ensure that efficient and effective security goals are achieved. More specifically, the Executive Order highlights a consultative process for engaging with critical infrastructure owners and operators, including leveraging existing public-private partnerships and expanding the information sharing pilot program currently underway with defense contractors. It expands exchange programs that bring in private-sector subject matter experts into Federal service on a temporary basis to provide advice and guidance on managing cyber risks. It aims to provide flexibility to owners and operators of critical infrastructures to help provide a more dynamic ability to manage risk and respond to issues. Finally, it leverages voluntary, consensus-based standards and directs activities to explore the interplay and benefits that voluntary incentives and Federal procurement could produce before creating additional requirements.
As the Executive Order moves from release to implementation, it will remain important that government and industry work together to manage carefully the most significant risks to our most critical infrastructures. To that end, we must remain focused on the desired security outcomes and recognize that owners and operators of critical infrastructures must retain the flexibility to manage risks with agility, implementing practices and controls that are both practical and effective. Continued collaboration between the government and the private sector will be essential in ensuring the success of this Executive Order and, recognizing the global nature of the Internet, we must also work with others around the world to ensure that policies and practices that result from the Executive Order scale globally.
Even as the Executive Order is implemented, I expect that we will see numerous legislative efforts related to cyber security in the coming months. We look forward to working with the Administration and Congress in our efforts to enhance cyber security, protect privacy and ensure the continued innovation of information technology.