Venable LLP Briefing on Cybersecurity Executive Order
On March 11, 2013 Venable hosted a briefing on the Cybersecurity Executive Order signed by President Obama last month. The Executive Order starts the process of drafting a comprehensive set of cybersecurity standards that will apply to businesses across a series of industries, including energy, telecommunications, defense, financial services, and transportation. Venable partners Jamie Barnett, Stu Ingis, Anthony Rosso, John Bowman, Jim Burnley, Diz Locaria and Brian Zimmet presented the briefing which included Ari Schwartz, Senior Policy Advisor to the Secretary of Commerce, and Adam Sedgewick, Senior Information Technology Policy Advisor at the National Institute of Standards and Technology.
Multiple publications covered the briefing including the March 11, 2013 editions of CSO Magazine, Nextgov, Main Justice, The Hill, and Computerworld.
During the briefing, Zimmet spoke about the Executive Order’s impact on the energy sector. He said the new standards will likely question how a company’s network is designed and configured and who has access to it according to CSO Magazine and Computerworld. “Which ports are open and which ports are closed?" Zimmet said. “You're looking at being able to justify every single open port on your network and being able to articulate a valid business reason for having that port open.” He added that networks in some participating companies could change due to the new standards. “When your network was originally set up by your IT people, they set it up with an eye, generally, toward making the system work and making it as easy as possible for the company to do its business…When you start applying cybersecurity standards to this question, you're really looking at the opposite of what the IT guys were looking at when they designed the network.”
Zimmet was also quoted in Main Justice about excessive regulatory burdens noting that the Federal Trade Commission is “cracking down” on compromised companies. “You get hacked and stuff gets stolen,” he said, “and then the Federal Trade Commission comes along and tells you that your cybersecurity standards weren’t up to snuff.” Moving forward, Zimmet said energy sector regulations would likely serve as a “model” for other accompanies according to The Hill. He advised companies to think about how they manage their networks and warned that critical infrastructure firms might run into problems if they do not comply with the new standards. He said it may be difficult in the long term to secure cybersecurity insurance if companies do not comply.
CSO Magazine and Computerworld also quoted Bowman who spoke about the impact on the financial services industry. He said businesses could be held to the same standard as financial institutions which are required to report cybersecurity breaches. Applying the same cybersecurity rules used by financial institutions to other businesses could impose a “considerable” burden on them, Bowman added.
Locaria, speaking about implications for defense contractors, raised concerns about voluntary participation with the Executive Order. “In terms of the civilian side of things, we’re already seeing effects that are not voluntary,” Locaria said pointing to supply side contractors according to Main Justice. He added that being identified as a high-risk company, or an operator of unspecified “critical infrastructure,” could pull a business into a “quasi-governmental contract” which some companies might not like due to the need for security clearances. He also said stakeholder could be spooked by the classification and businesses not singled out as critical are “not out of the woods because [the government is] going to do this annually.”