In his State of the Union address on Tuesday evening, President Obama singled out cybersecurity as a major national security priority, stating:
We know hackers steal people's identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.
The President then called on Congress to enact cybersecurity legislation. In addition, the Administration released a new Executive Order and accompanying Presidential Policy Directive providing for greater coordination between national security agencies and the private sector, and for the development of cybersecurity standards through the National Institute of Standards and Technology ("NIST"). The Administration's actions lay the groundwork for addressing at least one problem commonly expressed in the electric industry -- that detailed and specific information about cybersecurity threats is rarely shared by the government, greatly complicating the industry's efforts to address such threats.
The Executive Order calls for several specific measures. First, by mid-August, the Department of Homeland Security is required to develop a procedure for sharing unclassified reports on cybersecurity threats with owners of critical cyber assets, including the electric utility industry. Second, the Executive Order directs NIST to develop a cybersecurity "framework" of standards, methods, and procedures to address cybersecurity risks. The preliminary framework is to be published by mid-October. The agencies with regulatory responsibility are then to comment on the preliminary framework and, if additional changes are needed, the framework is to be finalized within ninety days after publication of the preliminary framework. NIST got a jump on this process on Wednesday by announcing the first steps it will take to develop the cybersecurity framework.
The third step required under the Executive Order is a systematic, "risk-based" assessment to identify critical infrastructure that could, in the event of cyber-sabotage, result in "catastrophic regional or national effects on public health or safety, economic security, or national security." This process is to be completed by mid-July.
The President's remarks on cybersecurity underscore the high profile these issues have taken on among policy makers as information about cybersecurity threats continues to make its way into the public sphere. For example, according to a story in the Washington Post, a recent National Security Estimate found that "the United States is the target of a massive, sustained cyber-espionage campaign that is threatening the country's economic competitiveness." According to the report, state-sponsored cyber-espionage is on the rise, and cyber-attacks have been aimed at the energy industry, as well as other key industries and government agencies involved in fields such as finance, technology, and defense.
If you have any questions about the matters discussed in this post, please contact a member of GTH's Energy, Telecommunications, and Utilities practice group. In addition, GTH-Government Affairs offers comprehensive government relations services, including advocacy, research, and strategic advice in both Olympia and Washington, D.C. Maj. Gen. (ret) Tim Lowenberg, a GTH-GA Vice President who recently became Of Counsel to the GTH law firm, has years of experience in cybersecurity issues. For example, he has served as the governor's Homeland Security Advisor, acted as Chair of the National Governors Association's Homeland Security Advisor's Council, and was founding Co-Chair of the National Homeland Security Consortium, a group of more than two dozen private- and public-sector organizations with an interest in cybersecurity and other homeland security issues.