Sec. 4. Cybersecurity Information Sharing. (a) It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats. Within 120 days of the date of this order, the Attorney General, the Secretary of Homeland Security (the "Secretary"), and the Director of National Intelligence shall each issue instructions consistent with their authorities and with the requirements of section 12(c) of this order to ensure the timely production of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity. The instructions shall address the need to protect intelligence and law enforcement sources, methods, operations, and investigations.
(b) The Secretary and the Attorney General, in coordination with the Director of National Intelligence, shall establish a process that rapidly disseminates the reports produced pursuant to section 4(a) of this order to the targeted entity. Such process shall also, consistent with the need to protect national security information, include the dissemination of classified reports to critical infrastructure entities authorized to receive them. The Secretary and the Attorney General, in coordination with the Director of National Intelligence, shall establish a system for tracking the production, dissemination, and disposition of these reports.
(c) To assist the owners and operators of critical infrastructure in protecting their systems from unauthorized access, exploitation, or harm, the Secretary, consistent with 6 U.S.C. 143 and in collaboration with the Secretary of Defense, shall, within 120 days of the date of this order, establish procedures to expand the Enhanced Cybersecurity Services program to all critical infrastructure sectors. This voluntary information sharing program will provide classified cyber threat and technical information from the Government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure. . . .
(e) In order to maximize the utility of cyber threat information sharing with the private sector, the Secretary shall expand the use of programs that bring private sector subject-matter experts into Federal service on a temporary basis. These subject matter experts should provide advice regarding the content, structure, and types of information most useful to critical infrastructure owners and operators in reducing and mitigating cyber risks.
***
Sec. 7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure. (a) The Secretary of Commerce shall direct the Director of the National Institute of Standards and Technology (the "Director") to lead the development of a framework to reduce cyber risks to critical infrastructure (the "Cybersecurity Framework"). The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. The Cybersecurity Framework shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible. The Cybersecurity Framework shall be consistent with voluntary international standards when such international standards will advance the objectives of this order, and shall meet the requirements of the National Institute of Standards and Technology Act, as amended (15 U.S.C. 271 et seq.), the National Technology Transfer and Advancement Act of 1995 (Public Law 104-113), and OMB Circular A-119, as revised.
(b) The Cybersecurity Framework shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. The Cybersecurity Framework shall focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure. The Cybersecurity Framework will also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations. To enable technical innovation and account for organizational differences, the Cybersecurity Framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks. The Cybersecurity Framework shall include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework.
***
Sec. 8. Voluntary Critical Infrastructure Cybersecurity Program. (a) The Secretary, in coordination with Sector-Specific Agencies, shall establish a voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities (the "Program").
(b) Sector-Specific Agencies, in consultation with the Secretary and other interested agencies, shall coordinate with the Sector Coordinating Councils to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.
(c) Sector-Specific Agencies shall report annually to the President, through the Secretary, on the extent to which owners and operators notified under section 9 of this order are participating in the Program.
(d) The Secretary shall coordinate establishment of a set of incentives designed to promote participation in the Program. Within 120 days of the date of this order, the Secretary and the Secretaries of the Treasury and Commerce each shall make recommendations separately to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs, that shall include analysis of the benefits and relative effectiveness of such incentives, and whether the incentives would require legislation or can be provided under existing law and authorities to participants in the Program.
***
The US government is taking other steps to combat state-sponsored cyber-espionage. For example, one hundred US prosecutors are being trained to prosecute cases involving cyber-espionage. (Note section 4(e) of the Executive Order: the start of the "cyberdraft"?)

Have other countries adopted more aggressive policies in helping the private sector combat cyber-espionage? (Be sure to click on the Office of the National Counterintelligence Executive poster below if you can't read the fine print.)