ISA Policy Positions

Sources: Pan-Association White Paper, ISA Congressional Testimony, ISA Board’s Executive Order Recommendations, ISA Social Contract, ISA Command and Control Disruption Strategy, ISA Risk Management proposal, and other statements

White House Executive Order 13636

February 12, 2013

 In order to create a sustainable system of cyber security wherein both innovation and the nation’s economic prosperity is encouraged, policymakers must not only address technical issues but the economics that drive critical infrastructure cybersecurity investment; More specifically, to encourage increased cyber security, policymakers must implement a market-oriented approach where positive incentives for security are deployed, rather than counter-productive regulatory mandates.Section 1: It is U.S. policy to “enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality…”
“‘Government can . . . assist in broad-scale CI/KR protection through activities such as providing owners and operators timely, analytical, accurate, and useful information…”Section 4(a): It is U.S. policy to “increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats.”
“Government should consider how it can share more classified and sensitive information, particularly the parts of that information that can help the private sector defend its systems.”Section 4(b): Homeland Security Secretary, AG, and DNI will establish a process that rapidly disseminates “classified reports to critical infrastructure entities authorized to receive them.”
In order to better facilitate information sharing to ensure the widest possible coverage, ISA has proposed an alternative, market-based model wherein elite entities would seek government certification that would enable them to command and control blocking services based on highly sensitive indicators that they have received from the government and other partners.

 

Section 4(c): The Enhanced Cybersecurity Services Indicator Sharing Program “will provide classified cyber threat and technical information from the Government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure.”
“Government resources should be applied and existing requirements/regulations assessed to facilitate the ability of critical infrastructure companies to obtain security clearances (facilities and personnel) and to streamline the clearance process.”Section 4(d): The Homeland Security Secretary “shall expedite the processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators.”
The government should work with private sector experts “so that their… expertise, analysis, and response capabilities can be shared and leveraged on a sustained basis – not just in times of crisis.”Section 4(e): The Homeland Security Secretary “shall expand the use of programs that bring private sector subject-matter experts into Federal service on a temporary basis.”
“[I]nformation sharing for cybersecurity purposes should be transparent and should comply with fair information practice principles.”Section 5: Governmental privacy and civil liberties protections “shall be based upon the Fair Information Practice Principles and other privacy and civil liberties policies, principles, and frameworks…”
“ISA proposes that the prescriptions and structures enumerated in the National Infrastructure Protection Plan…[and other documents] become embodied in federal law…The statute would require the use of the partnership model including the primary, but not necessarily sole, use of the designated industry structures, (e.g. PCIS & SCCs) as outlined in the above policy documents and require the development of clear and reasonable processes for consultation and collaboration….”Section 6: The Homeland Security Secretary “shall engage and consider the advice, on matters set forth in this order of the Critical Infrastructure Partnership Advisory Council; Sector Coordinating Councils; critical infrastructure owners and operators; Sector-Specific Agencies…”
“Government and industry should utilize existing international standards and work through consensus bodies to develop and strengthen international standards for cybersecurity.”Section 7(a): “The Cybersecurity Framework shall incorporate voluntary consensus-based standards and industry best practices to the fullest extent possible. The Cybersecurity Framework shall be consistent with voluntary international standards when such international standards will advance the objectives of this order.”
“We should discard a controls-based approach in favor of an agile, risk-based security posture that can respond to evolving threats specific to individual industries and companies and the corresponding risk to data and systems. Our approach must be as nimble, as flexible, and as responsive to the threat as the threat is to any controls we could put in place.  Should the US move towards increasing controls, it is important to use international standards and to ensure cross-industry harmonization.”Section 7(b): “The Cybersecurity Framework shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, … , to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. The Framework shall focus on identifying cross-sector security standards and guidelines…The Framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards…”
“The private sector should not only be part of a government standard-setting regime, but should also assist in improving the existing standards-setting process.”Section 7(d): “In developing the Cybersecurity Framework, the Director shall engage in an open public review and comment process.”
“To accommodate the needs of a wide variety of critical infrastructures with different economic models, the public-private partnership should develop a menu of incentives that can be tied to voluntary adoption of widely-accepted and proven-successful security best practices, standards, and technologies.”Section 8(a,d):  Subsection (a) – “The [Homeland Security] Secretary, in coordination with Sector-Specific Agencies, shall establish a voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities…”

 

Subsection 8(d) – “The [Homeland Security] Secretary shall coordinate establishment of a set of incentives designed to promote participation in the Program.”

In collaboration with the private sector, the Government should prepare a “detailed report” that identifies and analyzes “a menu of potential pro-active, market based incentives that can be used to offset the incentives to become less secure” and recommends mechanisms “for deploying [these] positive incentives.”Section 8(d): “…the [Homeland Security] Secretary and the Secretaries of the Treasury and Commerce each shall make recommendations separately to the President…that shall include analysis of the benefits and relative effectiveness of such incentives, and whether the incentives would require legislation or can be provided under existing law and authorities to participants in the Program.”
The Federal Government in collaboration with its private sector partners – the Sector Coordinating Councils, CIPAC, and other NIPP described structures – should prepare a detailed incentives report that examines, “how to use government procurement to promote greater security.”Section 8(e): “…the Secretary of Defense and the Administrator of General Services, in consultation with the [Homeland Security] Secretary and the Federal Acquisition Regulatory Council, shall make recommendations to the President… on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.”

 

“The scope of the Executive Order should be restricted to a narrow subset of the critical infrastructure, wherein a cyber attack would directly result in a catastrophic event. Definitions should be clear and unambiguous, as the designation of ‘cyber critical infrastructure’ is problematic given the nature of interconnected systems and networks. The scope of applicability should be risk-based and clearly identify the problem that is being solved and the desired outcome.”Section 9: “…the [Homeland Security] Secretary shall use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security… The [Homeland Security] Secretary shall apply consistent, objective criteria in identifying such critical infrastructure.”
ISA has proposed that the if the government is considering regulation, it should first undertake an analysis in accordance with Executive Order 13563 that considers whether the proposed regulation’s benefits outweigh its costs and whether there might be alternatives to direct regulation, such as incentives.Section 10(b): “If current regulatory requirements are deemed to be insufficient,” agencies with responsibility for regulating the security of critical infrastructure, DHS, OMB, and the National Security Staff “shall propose prioritized, risk-based, efficient, and coordinated actions, consistent with … Executive Order 13563 of January 18, 2011 (Improving Regulation and Regulatory Review…to mitigate cyber risk.”
“Regulatory and legislative mandates and compliance frameworks that address information security” should be analyzed “to create a unified compliance model and to eliminate wasteful overlaps…If compliance with one set of regulations were to be considered compliance with all, the reduction in compliance costs would free-up additional resources to be reinvested in cyber security initiatives, rather than in compliance efforts.”Section 10(c): Within 2 years after publication of the final Framework, consistent with Executive Order 13563…, agencies identified in subsection (a) of this section shall, in consultation with owners and operators of critical infrastructure, report to OMB on any critical infrastructure subject to ineffective, conflicting, or excessively burdensome cybersecurity requirements. This report shall describe efforts made by agencies, and make recommendations for further actions, to minimize or eliminate such requirements.
“Via Congress’ oversight and appropriations responsibilities, the federal government’s own networks should be built and operated to world class standards in terms of security and should set the example for others to match.”Section 10(d): “The [Homeland Security] Secretary shall coordinate the provision of technical assistance to agencies identified in subsection (a) of this section on the development of their cybersecurity workforce and programs.”