On May 5, 2013, Zack Whittaker, an industry reporter, wrote a story published on ZDNet.com revealing that security researchers have discovered a previously unreported zero-day attack that targets U.S. government nuclear weapons scientists and researchers. The article identifies a “previously unknown vulnerability in Internet Explorer 8, which targets U.S. government workers involved in nuclear weapons research”, particularly the Dept. of Energy’s Site Exposure Matrices (SEM) website, which deals with “nuclear-related illnesses.” According to Whittaker, “The malware is linked to “DeepPanda” hackers, which are thought to be based in mainland China.”
This story is but a recent example of how vulnerable even our most sensitive and classified computer systems are to cyberattacks. Recognizing the urgent need to improve the federal coordination of cybersecurity for our infrastructure, and, arguably move us closer to a universal standard for internet and network security, President Obama recently issued Executive Order 13636 titled, “Improving Critical Infrastructure Cybersecurity.”
By its terms, the Order is aimed at our nation’s “critical infrastructure,” that is its “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” These will include oil and gas distribution systems, water plants, the electric grid, air traffic controls, major financial institutions, etc.
The Order is designed to improve information sharing about cyberthreats between government and industry, and establish a “framework to reduce cyberrisks to critical infrastructure. (the Cybersecurity Framework).” . The Cybersecurity Framework (the Framework) is to include a set of standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyberrisks. The Framework is to “incorporate voluntary consensus standards and industry best practices to the fullest extent possible.”
While the Order uses the word “voluntary” for the owners of critical infrastructure, there are other portions of the Order that seem to imply a national mandatory standard will evolve. The Order directs an assessment of “the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration” into the procurement process. “The report shall address what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity.” Therefore, when the Framework is developed, procurement officers will be adding all or part of it to the procurement process, and defense and other government suppliers and their subcontractors may ultimately be made subject to the increased security standards if they wish to bid on government projects.
Of relevance to a wider audience is the provision that speaks of a voluntary compliance program for all “interested entities”: “The Secretary …, shall establish a voluntary program to support the adoption of the Framework by owners and operators of critical infrastructure and any other interested entities.“
When developed, the Framework may likely become the “de facto” standard for all government contractors, regulated industries, and others with an obligation to maintain confidentiality, e.g., health care providers subject to HIPPA; banks, brokerages and other financial institutions subject to FINRA; credit card processors and retailers bound to observe industry standards by the terms of their merchant agreements with credit cards issuers; and professionals such as lawyers and accountants that hold third party confidential information.
This may not come about as the result of the direct terms of the Order or legislation, but: (i) federal regulators enforcing data protection statutes such as the Gramm-Leach-Bliley Act of 1999 and Sarbanes-Oxley will not be able to avoid establishing the Framework as a minimum (again based on the supposition that the Framework constitutes “industry best practices”), and (ii) the market leaders in many industries will quickly want to qualify as one of the “other interested entities” for marketing purposes, thus both bolstering their position and moving the “industry standard”.
Furthermore, unless Congress specifically provides otherwise, if there is a breach of security, a claim of negligence will easily be made against any company that possesses confidential data that does not choose to comply with the new “industry standards.”
The Framework may also become a part of the Massachusetts Attorney General requirements, or at least its measure of Massachusetts’ businesses compliance with M.G.L. 93H, Section 2(a) (the Data Privacy Statute) that requires the attorney general to “insure the security and confidentiality of customer information in a manner fully consistent with industry standards.” Again, a failure to comply will make an easy target for an attorney general action if there is a breach of security.
With that type of impact, all businesses should be monitoring the discussions and watching for reports discussing the Framework, which is being developed by The National Institute of Standards and Technology (NIST).. NIST is scheduled to publish a preliminary Framework by October 10, 2013, and the final Framework by February 13, 2014. As part of its process, NIST is collecting information about current risk management practices; use of frameworks, standards, guidelines and best practices; and specific industry practices. The first Cybersecurity Framework Workshop was held on April 3, in Washington D.C; and the second will be held May 29 to May 31, 2013 in Pittsburgh, Penn. It may be possible for some business associations to participate and help shape the Framework before it is published.
In all events, each business’ future planning of network security should take into account the development of the Framework and what the impact will be when the standard is established.
If you have questions, please contact John F. Bradley, II , a partner in Prince Lobel’s Corporate Practice. You can reach John at 617 456 8076 or jbradley@PrinceLobel.com.