Grasp Cyber-Security Policymaking

May 7, 2015
Efforts by the Obama Administration fall into five distinct categories

Cyber-security policymaking has become a priority in the executive branch of the U.S. government. More than a dozen federal agencies now have efforts underway to protect private- and public-sector infrastructure from harm caused by malicious computer code. The aim of this article is to make that large assortment of government activities easier to understand by describing five categories that together capture all of it.

1. Mandatory standards. The first category consists of compulsory cyber-security requirements directed at the owners and operators of assets within specific economic sectors that already have been regulated for some time.

Electric utilities, for example, long have been highly regulated by the U.S. government. Their lead federal regulator is the Federal Energy Regulatory Commission (FERC). Ever since late in the Clinton Administration, FERC has ratified and enforced critical infrastructure protection standards developed by the North American Electric Reliability Corporation. Those standards are known as the NERC-CIP.

In 2013, FERC approved NERC-CIP version 5, which deals explicitly with the cyber security of the bulk electric system. It exemplifies U.S. government cyber-security mandates that are directed at owner/operators of critical infrastructure, where the standards target an individual sector that already was heavily regulated and come from an executive branch agency that already regulates that sector.

Another example relates to the chemicals sector. The U.S. Government has regulated chemical facilities in a variety of ways for a long time. In 2007, Congress authorized the Department of Homeland Security (DHS) to develop and enforce mandatory security requirements for large U.S. chemical facilities, i.e., the Chemical Facility Anti-Terrorism Standards (CFATS). Cyber security has featured more and more in the CFATS regulations and guidance documents that have come out during the eight years the program has existed.

2. Voluntary guidelines. The second category also targets owners and operators. However, these government directives are intended to have cross-sector relevance and compliance is not legally mandated.

By the start of the Obama Administration’s second term, decision-makers at the top of the executive branch had determined that some sort of cross-sector policymaking was necessary to increase adoption of basic “cyber hygiene” practices all across the nation’s critical infrastructure. A key aim was to reach the small-to-mid-sized owner/operators that had not yet adopted even the relatively inexpensive practices that would at least foil the fairly unsophisticated attacks that still cause the vast majority of cyber incidents.

The administration knew that non-governmental versions of cross-sector, basic cyber-hygiene guidelines already existed, e.g., the SANS Institute’s “Top 20 Critical Security Controls.” It hoped that, if the U.S. government published under its own byline a short compendium — or restatement — of those existing best practices and publicized that document, then more owner/operators would pay attention to the recommended practices.

The most prominent example is “Framework for Improving Critical Infrastructure Cybersecurity," published in February 2014 by the National Institute of Standards and Technology (NIST), which is part of the U.S. Department of Commerce. This document is only forty pages long and compiles best practices from multiple standards and guidelines in an easily read format suitable for use in discussions with senior executives.

NIST developed the “Framework” document in a year-long, collaborative and very public process — with five large conferences spread over the course of that year, two periods for the submission of public comments, and a prominent event at the White House to unveil the final product. The Obama Administration hopes the process used to develop the document, the related publicity, and the easy-to-understand final product will generate a much greater readership and use of the document by owner/operator decision-makers than garnered by the pre-existing standards and guidelines from which the content of the Framework is drawn.

3. Guidelines that go beyond owner/operators. The third category of cyber-security policies also consists of measures that are not legally mandated. However, unlike those in Category 2, these guidelines are directed at least in part at the vendors of computerized products such as industrial control systems, rather than exclusively at the owner/operators of the infrastructure the government ultimately is trying to protect.

The government recognizes that vulnerabilities impacting owner/operators exist in both computerized products the owner/operators buy and in the systems configuration they often contract out. It also knows that the owner/operators, as important customers, can significantly influence those suppliers. So the government feels it can apply most of its direct pressure on the owner/operators and rely on them, in turn, to exert secondary pressure through the free market on vendors and system integrators to keep improving the security of their products and services.

For example, even though the controls listed in NIST’s Framework target owner/operators, some of the cross-references listed next to those controls are citations to existing security standards that are directed at control system vendors and systems integrators. In particular, the Framework repeatedly cites International Society of Automation/International Electrotechnical Commission (ISA/IEC) document 62443-3-3, “Security for Industrial Automation and Control Systems, System Security Requirements, and Security Levels.”

In an even starker example, the U.S. Department of Energy (DoE) in April 2014 published the final version of “Cybersecurity Procurement Language for Energy Delivery Systems.” That document, intended to be used by private-sector owners and operators of assets in the production, transfer and distribution of energy, sets out a large number of security-related product requirements that the government recommends these private-sector owner/operators impose on their suppliers of programmable logic controllers, digital relays, remote terminal units, supervisory control and data acquisition systems, distributed control systems, and the like.

So, while the U.S. government primarily is interested in placing its pressure on owner/operators and then having them exert pressure on product vendors and systems integrators, the government has been issuing documents designed to spur that secondary pressure.

4. Government procurement specifications. The fourth category of federal activity consists of cyber-security-relevant procurement specifications issued by large government customers of computerized products and services.

The executive branch is a giant purchaser of information and communications technologies and services from the private sector. Each of the massive executive departments that do most of the purchasing — the Department of Defense (DoD) being the largest, but the General Services Administration (GSA) and the DHS being other examples — has the power to establish technical specifications and other performance requirements for the different categories of products and services it buys.

All major executive branch customers of computerized products and services now are revising their procurement specifications to include more requirements directed specifically at improving the cyber security of their assets. For example, the GSA, which operates most of the executive branch’s civilian buildings, began updating its procurement specifications nearly two years ago. Countless sub-departments of the DoD and the DHS — not to mention the Department of Veterans Affairs, the DoE and others — are now doing so as well.

The executive branch alone makes up such a large portion of the entire American market — and, in some cases, of the total global market — for certain technologies and services that its own procurement specifications can end up reshaping the entire market just as much as if it were imposing regulatory standards on all vendors.

5. Government assistance to the private sector. The last category covers cases where the government is not requiring or even really pressuring the private sector to do anything. Instead, the government simply is providing services aimed at helping the private sector become more secure.

The alerts, advisories, and reports put out by the DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) are prime examples of executive branch assistance to help the private sector be more secure. The alerts that ICS-CERT posts on its website, and the public-private information-sharing hub that ICS-CERT now hosts, are intended to notify critical infrastructure owners and operators of threats or other activity that potentially could impact their assets. In addition, ICS-CERT posts on a different part of its website advisories that do a variety of things, including notifying owner/operators about product security vulnerabilities and exploits, as well as recommending means to address them.

ICS-CERT’s Cyber Security Evaluation Tool (C-SET) is another example of a cyber-security service. C-SET is a free desktop software tool that enables a user to evaluate any given control system or set of information technology network security practices against recognized industry standards. The tool outputs a prioritized list of recommendations for improving the cyber-security posture of the user’s computerized systems.

I’ve only touched upon a few examples of the ongoing cyber-security policymaking in the executive branch, in an effort to distinguish the different categories of that activity. Hopefully, these categories will help you understand the myriad individual government cyber-security initiatives you will encounter in the months and years ahead.

DAVID MCINTOSH is Washington, D.C.-based vice president for government affairs for Siemens Corp. E-mail him at [email protected].