Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cyber security.
Speaking as part of his state of the union address to Congress, President Barack Obama said that as the cyber threat to critical infrastructure increases, there is a need to improve critical infrastructure cyber security.
He said: “It is the policy of the United States to enhance the security and resilience of the nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.
“We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cyber security information sharing and collaboratively develop and implement risk-based standards.”
Within 120 days of this order, Obama said that the attorney general, secretary of homeland security and the director of national intelligence shall each issue instructions consistent with their authorities to ensure the timely production of unclassified reports of cyber threats to the US homeland that identify a specific targeted entity. “The instructions shall address the need to protect intelligence and law enforcement sources, methods, operations, and investigations,” he said.
He also said that the voluntary information sharing program will provide classified cyber threat and technical information from the government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure.
In order to maximise the utility of cyber threat information sharing with the private sector, the secretary of homeland security shall expand the use of programs that bring private sector subject-matter experts into Federal service on a temporary basis. These subject matter experts will provide advice regarding the content, structure and types of information most useful to critical infrastructure owners and operators in reducing and mitigating cyber risks.
Information submitted voluntarily by private entities under this order shall be protected from disclosure to the fullest extent permitted by law, Obama said. A ‘Cybersecurity Framework' will be developed to reduce cyber risks to critical infrastructure and this will include a set of standards, methodologies, procedures and processes that align policy, business, and technological approaches to address cyber risks.
A preliminary version of the framework will be published within 240 days and within one year, a final version will be published.
Terry Greer-King, UK managing director for Check Point,said: “Together with the EU cyber security plan announced last week, this is a key step forward for both Governments and business in realising the need to collaborate and share intelligence to fight web attacks, and reduce their impact.”