February 15, 2013 IT SECURITY

Improving Critical Infrastructure ~ Cybersecurity Executive Order Is Signed

During his recent State of the Union address, the President made reference to an executive order on Cyber Security, which he signed on 2/12/13. The Order concerns “critical infrastructure”, a term it leaves only loosely specified; here’s an excerpt from it:

Sec. 2. Critical Infrastructure. As used in this order, the term critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

So, are Credit Unions vital?

Reading the entirety of the order, one might take it to be more related to the power grid, water systems, refineries and the like. In reality though, during his speech, the President made clear reference to the cyber threat our banking system faces. As such, one must assume that, in his mind, the banking industry at large is part of our critical infrastructure, and that if cyber criminals or cyber enemies were to take down our banking system, it would have a drastic impact on our national economic security.

I have to say, I agree wholeheartedly.

While I’m not certain that if a cyber criminal were to take down one Credit Union, our entire nation would be at risk, I am quite positive that a concerted effort to endanger the entire banking system would be a disaster beyond measure.

Further in the document, we read:

Sec. 9. Identification of Critical Infrastructure at Greatest Risk. (a) Within 150 days of the date of this order, the Secretary [of DHS] shall use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security …

And this:

(c) The Secretary, in coordination with Sector-Specific Agencies, shall confidentially notify owners and operators of critical infrastructure identified under subsection (a) of this section that they have been so identified, and ensure identified owners and operators are provided the basis for the determination. The Secretary shall establish a process through which owners and operators of critical infrastructure may submit relevant information and request reconsideration of identifications under subsection (a) of this section

Now, don’t expect your Board of Directors to receive a notification from DHS any time soon. I highly doubt they’ll be able to identify all the 9,000+ CUs scattered across the US as critical. Personally, I believe that, in 150 days, all they’ll be able to accomplish within the financial sector is make reference to the largest banks (those who are too large to fail, to be clear), and most likely, no one else. That doesn’t mean, though, that you cannot participate in this program.

There’s a small provision for voluntary submission, and, if you’re recognized as critical, you can still participate in the information sharing.

However, the issue I see with this order is the ambiguity about the sort of information to be shared. I’ve glimpsed several recent articles in major newspapers, all with titles such as “the FBI warns Financial Institutions of imminent threats”.

Really?

If this is the information they’re sharing, they can keep it.

We don’t need the FBI to tell us our F.I.s are under constant attack; in fact, “imminent” doesn’t even apply anymore – they’re already under a constant, persistent barrage of attacks, and they’re the most attacked because they hold what hackers want most – information that can make them a lot of money, very quickly.

My genuine hope is that the actual information they choose to ultimately share will be much more specific, such that it’ll allow you (and the rest of us) to take proactive actions in defending our networks way before the threat actually strikes.

Having said that, the order is, of course, intentionally generic, and I know all too well it couldn’t have been otherwise.  But it does mention the possibility of including security providers in the information sharing process, which would be a boon for companies such as Network Box USA, particularly if the information reveals to us things we do not yet know.

I guess we’ll just have to wait and see.