
Defense Issues Weekly


Russia builds up, US cuts unilaterally

The Obama administration is preparing to announce a new round of deep, unilateral cuts in America’s nuclear arsenal, writes Bill Gertz of the Washington Times.
Writing in his weekly Inside the Ring column, Gertz states it will happen “soon” and that a Pentagon “review”, written precisely to “justify” these new, deep, unilateral cuts, will be used for that purpose. The cuts, as many outlets have already announced, may bring the arsenal to as few as 1,000 (or fewer) warheads. Gertz states this “review” was completed, and the decision to cut was made, months ago, but both have been withheld from the public so far to prevent Obama from losing the 2012 presidential election.

Obama, having been reelected by the American electorate in 2012, will not have to face voters ever again.

The result will be not just a deep, unilateral cut in America’s nuclear deterrent, but also a possible cancellation of warhead modernization programs, a replacement for the B-52’s aging cruise missiles (the B-52 has such a huge radar signature it cannot safely enter enemy airspace itself), the new “boomer” (ballistic missile submarine) class, and a plutonium pit producing facility in New Mexico, all of which were promised by Obama in 2010 during the New START ratification debate and in the New START ratification resolution. Construction of the said facility is also mandated by the FY2013 NDAA.

(NOTE: In 2010, this writer warned not to believe or accept President Obama’s modernization promises on the grounds that his word could not be trusted under any circumstances; however, this writer’s warnings were roundly ignored and 13 Republicans foolishly voted for the treaty. Some of these Republicans are now the same individuals complaining about Obama’s failure to fulfill his promises, even though Obama never intended to keep those promises.)

Meanwhile, the Russian Ministry of Defense has announced it will continue growing its nuclear arsenal and modernizing it substantially, including the development of a new road-mobile ICBM (the Yars-M, tested successfully last year) and a rail-based ICBM (thus further adding to Russia’s arsenal of ICBMs). It also plans to develop a heavy ICBM (the “Son of Satan”) and an ICBM called the “Avangard”, as well as a “pseudo-ICBM” with a range of 6,000 km, to counter China’s large nuclear arsenal of 3,000 warheads.

The US, on the other hand, does not have any road- or rail-mobile ICBMs and has no plans to develop any, although the USAF is studying such options.

Rail-mobile ICBMs were prohibited by the first and second START treaty, but are not forbidden by the one-sided New START treaty negotiated by the Obama State Department and signed by Obama in April 2010. Russia is now taking advantage of this huge loophole, as well as of the loophole (also found in previous START treaties) that does not count its 171 Tu-22M strategic bombers as such under these treaties. It’s also taking advantage of New START’s extremely weak verification regime, which gives it ample opportunity for cheating.

Concurrently, Russia is modernizing the other legs of its nuclear triad: its next generation bomber is scheduled to enter service in 2020 (as are the aforementioned ICBMs), and the first of its new class of ballistic missile submarines, the Yuri Dolgoruki of the Borei class, joined the Russian Navy’s fleet last year.

Historically, Russia, and before it, the Soviet Union, has never complied with any arms control treaty it has signed.

Critics have charged that by cutting the US nuclear arsenal deeply and unilaterally below New START levels, Obama is inviting Russian nuclear blackmail of the US and dramatically undermining US national security, while needlessly dismantling the only weapon type that has never failed for its entire 67-year-long existence.

Dempsey appeases China

During his visit to China last week, Joint Chiefs Chairman Gen. Martin Dempsey, an Obama appointee, asked China for help in combating cyber attacks.

Despite the well-documented fact that many, if not most cyberattacks on the US originate from China and have been perpetrated by the PLA and other Chinese government entities, Dempsey put his faith in China’s benevolence, asking its leaders for help and proposing Sino-American “cooperation” on the matter.

Such “cooperation” would mean that Chinese government and military personnel would gain intimate access to US computer networks and thus be able to find out how to navigate – or disable – them and how to steal more information from the US government.

Yet, Gen. Dempsey called a Sino-American “working group” recently established “to combat cyber attacks” “both timely and appropriate”, and claimed that cyber attacks do as much damage to the Chinese as to the US economy.

Similarly, last year, Hillary Clinton claimed that both the US and China have been “victims of cyber attacks”, suggesting moral equivalence between the two countries.

Heritage Foundation analyst David Inserra commented recently:

“By turning a blind eye to China’s obvious bad cyber behavior, Dempsey and others are encouraging China to keep hacking, since there will obviously be no consequences from Washington. Even worse, by recommending more cooperation with China on this issue, the Obama Administration is actually rewarding the Chinese for their hacking by allowing them to become more familiar with our cyber systems and cybersecurity responses—and thus better prepared to spy on or disrupt them.(…)

The U.S. should change its approach to China on cybersecurity. China is not a victim on this issue; it is the perpetrator, and the U.S. should take actions that make its hacking more costly and painful—for instance, by calling out Beijing for its bad actions and ceasing to cooperate. The U.S. should also pursue legal and economic actions against Chinese companies that trade in stolen U.S. intellectual property. On top of that, the U.S. should break down Chinese censorship of the Internet and support the free flow of information within China.

Failing to change the U.S. policy toward China’s cyber crimes will only encourage more crime and attacks. It’s time to stand up to China and defend American interests.”

Ray Mabus: cutting warships, playing with boats

Navy Secretary Ray Mabus still insists on decommissioning 7 of the Navy’s newest cruisers while building 55 littoral combat ships that lack appropriate combat power and survivability and are very vulnerable to cyber attacks.

The Navy’s released FY2014 budget proposal still insists on decommissioning the cruisers.

At the same time, Mabus insists on continuing the Littoral Combat Ship program of building 55 poorly-armed, easy-to-sink boats armed with nothing more than a gun and a few short-range missiles and costing $440 mn each, without counting the cost of their combat modules.

Mabus has hailed the LCS program as “one of our very best shipbuilding programs”, even though it is grossly over budget and behind schedule and produces poorly-armed boats that cannot defend themselves. Think-tanks such as the CNAS and the Heritage Foundation have called for truncating LCS production.

The Navy’s own shipbuilding plans and figures also show that the service will not reach even its meagre goal – set last December – of reaching 306 ships, let alone the 313 ships the Navy said it needed as recently as December 2011. Indeed, the service’s plans show its ship fleet – especially the fleets of cruisers, destroyers, and submarines – shrinking deeply during the next 2 decades. During and after that period, the Navy’s total ship number will be significantly inflated by LCSes.

Critics, such as House Seapower and Projection Forces Subcommittee Chairman Randy Forbes (R-VA-04), have charged that the Navy is woefully underinvesting in its ship fleet and leaving it too small for the missions of today, let alone those of the future. They claim that, as the US “pivots” to the Western Pacific and continues to attempt to deter Iran in the Gulf, a large ship fleet is needed to keep the peace in both theaters, which are predominantly maritime.

Currently, the Navy is able to meet only 59% of Combatant Commanders’ requests for ships and only 61% of their requests for submarines.


Partial remedies have been suggested by think tanks such as the CNAS and Brookings. The former proposes establishing “red teams” to evaluate what it calls the “unconstrained” requirements of COCOMs, while Brookings proposes to station more warships abroad to make more available where they’re needed. It points out that one warship forward-deployed abroad (e.g. in Japan) is worth 4 warships based in the US.

Congressman Forbes proposes to increase the annual shipbuilding budget from $15 bn to $23 bn per year. That budget has been stagnant at $15 bn per year for several years.

Obama Executive Order: Improving Critical Infrastructure Cybersecurity


EXECUTIVE ORDER

- - - - - - -

IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY


By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows:

Section 1. Policy. Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation’s critical infrastructure in the face of such threats. It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties. We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards.

Sec. 2. Critical Infrastructure. As used in this order, the term critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

Sec. 3. Policy Coordination. Policy coordination, guidance, dispute resolution, and periodic in-progress reviews for the functions and programs described and assigned herein shall be provided through the interagency process established in Presidential Policy Directive-1 of February 13, 2009 (Organization of the National Security Council System), or any successor.

Sec. 4. Cybersecurity Information Sharing. (a) It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats. Within 120 days of the date of this order, the Attorney General, the Secretary of Homeland Security (the “Secretary”), and the Director of National Intelligence shall each issue instructions consistent with their authorities and with the requirements of section 12(c) of this order to ensure the timely production of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity. The instructions shall address the need to protect intelligence and law enforcement sources, methods, operations, and investigations.

(b) The Secretary and the Attorney General, in coordination with the Director of National Intelligence, shall establish a process that rapidly disseminates the reports produced pursuant to section 4(a) of this order to the targeted entity. Such process shall also, consistent with the need to protect national security information, include the dissemination of classified reports to critical infrastructure entities authorized to receive them. The Secretary and the Attorney General, in coordination with the Director of National Intelligence, shall establish a system for tracking the production, dissemination, and disposition of these reports.

(c) To assist the owners and operators of critical infrastructure in protecting their systems from unauthorized access, exploitation, or harm, the Secretary, consistent with 6 U.S.C. 143 and in collaboration with the Secretary of Defense, shall, within 120 days of the date of this order, establish procedures to expand the Enhanced Cybersecurity Services program to all critical infrastructure sectors. This voluntary information sharing program will provide classified cyber threat and technical information from the Government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure.

(d) The Secretary, as the Executive Agent for the Classified National Security Information Program created under Executive Order 13549 of August 18, 2010 (Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities), shall expedite the processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators, prioritizing the critical infrastructure identified in section 9 of this order.

(e) In order to maximize the utility of cyber threat information sharing with the private sector, the Secretary shall expand the use of programs that bring private sector subject-matter experts into Federal service on a temporary basis. These subject matter experts should provide advice regarding the content, structure, and types of information most useful to critical infrastructure owners and operators in reducing and mitigating cyber risks.

Sec. 5. Privacy and Civil Liberties Protections. (a) Agencies shall coordinate their activities under this order with their senior agency officials for privacy and civil liberties and ensure that privacy and civil liberties protections are incorporated into such activities. Such protections shall be based upon the Fair Information Practice Principles and other privacy and civil liberties policies, principles, and frameworks as they apply to each agency’s activities.

(b) The Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of the Department of Homeland Security (DHS) shall assess the privacy and civil liberties risks of the functions and programs undertaken by DHS as called for in this order and shall recommend to the Secretary ways to minimize or mitigate such risks, in a publicly available report, to be released within 1 year of the date of this order. Senior agency privacy and civil liberties officials for other agencies engaged in activities under this order shall conduct assessments of their agency activities and provide those assessments to DHS for consideration and inclusion in the report. The report shall be reviewed on an annual basis and revised as necessary. The report may contain a classified annex if necessary. Assessments shall include evaluation of activities against the Fair Information Practice Principles and other applicable privacy and civil liberties policies, principles, and frameworks. Agencies shall consider the assessments and recommendations of the report in implementing privacy and civil liberties protections for agency activities.

(c) In producing the report required under subsection (b) of this section, the Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of DHS shall consult with the Privacy and Civil Liberties Oversight Board and coordinate with the Office of Management and Budget (OMB).

(d) Information submitted voluntarily in accordance with 6 U.S.C. 133 by private entities under this order shall be protected from disclosure to the fullest extent permitted by law.

Sec. 6. Consultative Process. The Secretary shall establish a consultative process to coordinate improvements to the cybersecurity of critical infrastructure. As part of the consultative process, the Secretary shall engage and consider the advice, on matters set forth in this order, of the Critical Infrastructure Partnership Advisory Council; Sector Coordinating Councils; critical infrastructure owners and operators; Sector-Specific Agencies; other relevant agencies; independent regulatory agencies; State, local, territorial, and tribal governments; universities; and outside experts.

Sec. 7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure. (a) The Secretary of Commerce shall direct the Director of the National Institute of Standards and Technology (the “Director”) to lead the development of a framework to reduce cyber risks to critical infrastructure (the “Cybersecurity Framework”). The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. The Cybersecurity Framework shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible. The Cybersecurity Framework shall be consistent with voluntary international standards when such international standards will advance the objectives of this order, and shall meet the requirements of the National Institute of Standards and Technology Act, as amended (15 U.S.C. 271 et seq.), the National Technology Transfer and Advancement Act of 1995 (Public Law 104-113), and OMB Circular A-119, as revised.

(b) The Cybersecurity Framework shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. The Cybersecurity Framework shall focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure. The Cybersecurity Framework will also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations. To enable technical innovation and account for organizational differences, the Cybersecurity Framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks. The Cybersecurity Framework shall include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework.

(c) The Cybersecurity Framework shall include methodologies to identify and mitigate impacts of the Cybersecurity Framework and associated information security measures or controls on business confidentiality, and to protect individual privacy and civil liberties.

(d) In developing the Cybersecurity Framework, the Director shall engage in an open public review and comment process. The Director shall also consult with the Secretary, the National Security Agency, Sector-Specific Agencies and other interested agencies including OMB, owners and operators of critical infrastructure, and other stakeholders through the consultative process established in section 6 of this order. The Secretary, the Director of National Intelligence, and the heads of other relevant agencies shall provide threat and vulnerability information and technical expertise to inform the development of the Cybersecurity Framework. The Secretary shall provide performance goals for the Cybersecurity Framework informed by work under section 9 of this order.

(e) Within 240 days of the date of this order, the Director shall publish a preliminary version of the Cybersecurity Framework (the “preliminary Framework”). Within 1 year of the date of this order, and after coordination with the Secretary to ensure suitability under section 8 of this order, the Director shall publish a final version of the Cybersecurity Framework (the “final Framework”).

(f) Consistent with statutory responsibilities, the Director will ensure the Cybersecurity Framework and related guidance is reviewed and updated as necessary, taking into consideration technological changes, changes in cyber risks, operational feedback from owners and operators of critical infrastructure, experience from the implementation of section 8 of this order, and any other relevant factors.

Sec. 8. Voluntary Critical Infrastructure Cybersecurity Program. (a) The Secretary, in coordination with Sector-Specific Agencies, shall establish a voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities (the “Program”).

(b) Sector-Specific Agencies, in consultation with the Secretary and other interested agencies, shall coordinate with the Sector Coordinating Councils to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.

(c) Sector-Specific Agencies shall report annually to the President, through the Secretary, on the extent to which owners and operators notified under section 9 of this order are participating in the Program.

(d) The Secretary shall coordinate establishment of a set of incentives designed to promote participation in the Program. Within 120 days of the date of this order, the Secretary and the Secretaries of the Treasury and Commerce each shall make recommendations separately to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs, that shall include analysis of the benefits and relative effectiveness of such incentives, and whether the incentives would require legislation or can be provided under existing law and authorities to participants in the Program.

(e) Within 120 days of the date of this order, the Secretary of Defense and the Administrator of General Services, in consultation with the Secretary and the Federal Acquisition Regulatory Council, shall make recommendations to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs, on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration. The report shall address what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity.

Sec. 9. Identification of Critical Infrastructure at Greatest Risk. (a) Within 150 days of the date of this order, the Secretary shall use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security. In identifying critical infrastructure for this purpose, the Secretary shall use the consultative process established in section 6 of this order and draw upon the expertise of Sector-Specific Agencies. The Secretary shall apply consistent, objective criteria in identifying such critical infrastructure. The Secretary shall not identify any commercial information technology products or consumer information technology services under this section. The Secretary shall review and update the list of identified critical infrastructure under this section on an annual basis, and provide such list to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs.

(b) Heads of Sector-Specific Agencies and other relevant agencies shall provide the Secretary with information necessary to carry out the responsibilities under this section. The Secretary shall develop a process for other relevant stakeholders to submit information to assist in making the identifications required in subsection (a) of this section.

(c) The Secretary, in coordination with Sector-Specific Agencies, shall confidentially notify owners and operators of critical infrastructure identified under subsection (a) of this section that they have been so identified, and ensure identified owners and operators are provided the basis for the determination. The Secretary shall establish a process through which owners and operators of critical infrastructure may submit relevant information and request reconsideration of identifications under subsection (a) of this section.

Sec. 10. Adoption of Framework. (a) Agencies with responsibility for regulating the security of critical infrastructure shall engage in a consultative process with DHS, OMB, and the National Security Staff to review the preliminary Cybersecurity Framework and determine if current cybersecurity regulatory requirements are sufficient given current and projected risks. In making such determination, these agencies shall consider the identification of critical infrastructure required under section 9 of this order. Within 90 days of the publication of the preliminary Framework, these agencies shall submit a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, the Director of OMB, and the Assistant to the President for Economic Affairs, that states whether or not the agency has clear authority to establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure, the existing authorities identified, and any additional authority required.

(b) If current regulatory requirements are deemed to be insufficient, within 90 days of publication of the final Framework, agencies identified in subsection (a) of this section shall propose prioritized, risk-based, efficient, and coordinated actions, consistent with Executive Order 12866 of September 30, 1993 (Regulatory Planning and Review), Executive Order 13563 of January 18, 2011 (Improving Regulation and Regulatory Review), and Executive Order 13609 of May 1, 2012 (Promoting International Regulatory Cooperation), to mitigate cyber risk.

(c) Within 2 years after publication of the final Framework, consistent with Executive Order 13563 and Executive Order 13610 of May 10, 2012 (Identifying and Reducing Regulatory Burdens), agencies identified in subsection (a) of this section shall, in consultation with owners and operators of critical infrastructure, report to OMB on any critical infrastructure subject to ineffective, conflicting, or excessively burdensome cybersecurity requirements. This report shall describe efforts made by agencies, and make recommendations for further actions, to minimize or eliminate such requirements.

(d) The Secretary shall coordinate the provision of technical assistance to agencies identified in subsection (a) of this section on the development of their cybersecurity workforce and programs.

(e) Independent regulatory agencies with responsibility for regulating the security of critical infrastructure are encouraged to engage in a consultative process with the Secretary, relevant Sector-Specific Agencies, and other affected parties to consider prioritized actions to mitigate cyber risks for critical infrastructure consistent with their authorities.

Sec. 11. Definitions. (a) “Agency” means any authority of the United States that is an “agency” under 44 U.S.C. 3502(1), other than those considered to be independent regulatory agencies, as defined in 44 U.S.C. 3502(5).

(b) “Critical Infrastructure Partnership Advisory Council” means the council established by DHS under 6 U.S.C. 451 to facilitate effective interaction and coordination of critical infrastructure protection activities among the Federal Government; the private sector; and State, local, territorial, and tribal governments.

(c) “Fair Information Practice Principles” means the eight principles set forth in Appendix A of the National Strategy for Trusted Identities in Cyberspace.

(d) “Independent regulatory agency” has the meaning given the term in 44 U.S.C. 3502(5).

(e) “Sector Coordinating Council” means a private sector coordinating council composed of representatives of owners and operators within a particular sector of critical infrastructure established by the National Infrastructure Protection Plan or any successor.

(f) “Sector-Specific Agency” has the meaning given the term in Presidential Policy Directive-21 of February 12, 2013 (Critical Infrastructure Security and Resilience), or any successor.

Sec. 12. General Provisions. (a) This order shall be implemented consistent with applicable law and subject to the availability of appropriations. Nothing in this order shall be construed to provide an agency with authority for regulating the security of critical infrastructure in addition to or to a greater extent than the authority the agency has under existing law. Nothing in this order shall be construed to alter or limit any authority or responsibility of an agency under existing law.

(b) Nothing in this order shall be construed to impair or otherwise affect the functions of the Director of OMB relating to budgetary, administrative, or legislative proposals.

(c) All actions taken pursuant to this order shall be consistent with requirements and authorities to protect intelligence and law enforcement sources and methods. Nothing in this order shall be interpreted to supersede measures established under authority of law to protect the security and integrity of specific activities and associations that are in direct support of intelligence and law enforcement operations.

(d) This order shall be implemented consistent with U.S. international obligations.

(e) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

BARACK OBAMA

Source: White House

Obama takes control of the internet with Cybersecurity Executive Order


Executive Order on Improving Critical Infrastructure Cybersecurity

Today, President Obama signed an Executive Order to strengthen the cybersecurity of critical infrastructure by increasing information sharing and by jointly developing and implementing a framework of cybersecurity practices with our industry partners.

• Defense Industrial Base Information Sharing Program Now Open to Other Sectors: The Order expands the voluntary Enhanced Cybersecurity Services program, enabling near real-time sharing of cyber threat information to assist participating critical infrastructure companies in their cyber protection efforts.
• NIST to Lead Development of Cybersecurity Framework: NIST will work collaboratively with critical infrastructure stakeholders to develop the framework, relying on existing international standards, practices, and procedures that have proven to be effective.

Partnering with Industry to Protect Our Most Critical Assets from Cyber Attack

Today’s new Executive Order was developed in tandem with the Presidential Policy Directive on Critical Infrastructure Security and Resilience, also released today. The Executive Order strengthens the U.S. Government’s partnership with critical infrastructure owners and operators to address cyber threats through:

• New information sharing programs to provide both classified and unclassified threat and attack information to U.S. companies. The Executive Order requires Federal agencies to produce unclassified reports of threats to U.S. companies and requires the reports to be shared in a timely manner. The Order also expands the Enhanced Cybersecurity Services program, enabling near real-time sharing of cyber threat information to assist participating critical infrastructure companies in their cyber protection efforts.
• The development of a Cybersecurity Framework. The Executive Order directs the National Institute of Standards and Technology (NIST) to lead the development of a framework of cybersecurity practices to reduce cyber risks to critical infrastructure. NIST will work collaboratively with industry to develop the framework, relying on existing international standards, practices, and procedures that have proven to be effective. To enable technical innovation, the Cybersecurity Framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services.

The Executive Order also:

• Includes strong privacy and civil liberties protections based on the Fair Information Practice Principles. Agencies are required to incorporate privacy and civil liberties safeguards in their activities under this order. Those safeguards will be based upon the Fair Information Practice Principles (FIPPs) and other applicable privacy and civil liberties policies, principles, and frameworks. Agencies will conduct regular assessments of privacy and civil liberties impacts of their activities, and such assessments will be made public.
• Establishes a voluntary program to promote the adoption of the Cybersecurity Framework. The Department of Homeland Security will work with Sector-Specific Agencies like the Department of Energy and the Sector Coordinating Councils that represent industry to develop a program to assist companies with implementing the Cybersecurity Framework and to identify incentives for adoption.
• Calls for a review of existing cybersecurity regulation. Regulatory agencies will use the Cybersecurity Framework to assess their cybersecurity regulations, determine if existing requirements are sufficient, and determine whether any existing regulations can be eliminated as no longer effective. If the existing regulations are ineffective or insufficient, agencies will propose new, cost-effective regulations based upon the Cybersecurity Framework and in consultation with their regulated companies. Independent regulatory agencies are encouraged to leverage the Cybersecurity Framework to consider prioritized actions to mitigate cyber risks for critical infrastructure consistent with their authorities.
Building on Progress

In May of 2009, President Obama declared our digital infrastructure a strategic national asset and made protecting this infrastructure a national priority. As part of this effort, the Obama Administration has:
  • Created the National Cybersecurity & Communications Integration Center: The NCCIC is a 24-hour, DHS-led coordinated watch and warning center that improves our nation’s ability to address threats and incidents affecting critical infrastructure, the Internet, and cyberspace.
  • Issued the National Strategy for Trusted Identities in Cyberspace: The NSTIC and its programs are creating alternatives to passwords for online services that are more convenient, secure, and privacy enhancing.
  • Submitted to Congress Comprehensive Cybersecurity Legislation: The Administration continues to believe that legislation is needed to fully address this threat. Existing laws do not permit the government to do all that is necessary to better protect our country. The Executive Order ensures that federal agencies and departments take steps to secure our critical infrastructure from cyber attack, as a down-payment on expected further legislative action.

Source: White House

Entrust CEO and Congressman Burgess Outline Cyber Defense Needs

Without clear protection and guidelines, small- to mid-sized enterprises need to defend assets against online attacks, cybersecurity expert says

DALLAS, Aug. 30, 2011 /PRNewswire/ — Entrust, Inc., a global leader in securing online identities and information, today participated in a cybersecurity forum in Highland Village, Texas. Entrust President and CEO Bill Conner joined U.S. Congressman Michael C. Burgess (TX-26), M.D., as well as University of North Texas senior technology director Charlotte Russell, and Gold’s Gym Senior Vice President and CIO Bill Wade, to discuss how small- to mid-sized businesses can protect themselves against cyber attacks.

“Unfortunately, today’s small- and mid-sized businesses do not have the same protection as large corporations and individuals, so it is extremely important that smaller enterprises make cybersecurity a priority,” said Conner. “In this economy, security may fall by the wayside, but the cost to deploy it is dwarfed by the cost of what’s at stake. Businesses do not know where an attack will come from, so it is crucial that they have cyber defense measures in place, as they could be struck with a large financial loss or take a credibility hit with their customers.”

>> Read Now: Transcript of Bill Conner’s Speech from the Cyber Security Forum

The forum was hosted by the Flower Mound, Texas, and Lewisville, Texas, chambers of commerce, and the Highland Village Business Association. The event’s speakers and panel discussion focused on what measures small- to mid-sized businesses need to have in place to protect against cybersecurity attacks.

“Having a defense against cyber attacks is critical for organizations of all sizes,” said Conner. “Cyber criminals will search for any hole in a company’s security measures and take advantage of it, utilizing such channels as online banking. This is cyber warfare and it takes everyone — government, major organizations, small businesses and individuals — working together to win.”

Entrust enables organizations and government agencies to easily and effectively manage security across a range of users and applications. The company offers a range of authentication and credentialing capabilities that cover physical, logical and mobile access.

A trusted provider of identity-based security solutions, Entrust empowers enterprises, governments, financial institutions, citizens and websites in more than 4,000 organizations spanning 60 countries. Entrust’s customer-centric focus is the foundation to delivering organizations an unmatched level of security, trust and value. For strong authentication, credentialing, physical and logical access, mobile security, digital certificates, SSL and PKI, call 888-690-2424, email [email protected] or visit www.entrust.com. Let’s talk.

Entrust is a registered trademark of Entrust, Inc. in the United States and certain other countries. In Canada, Entrust is a registered trademark of Entrust Limited. All Entrust product names are trademarks or registered trademarks of Entrust, Inc. or Entrust Limited. All other company and product names are trademarks or registered trademarks of their respective owners.

SOURCE Entrust, Inc.

CONTACT: Lindsey Jones of Entrust, Inc., Media Relations, +1-972-728-0374, [email protected]